Commit 08355b76 authored by Max Woolf, committed by Jarka Košanová

Remove maintainer access to administer compliance frameworks

Alters the permissions matrix to forbid maintainers from
assigning compliance frameworks to a project.
parent 1206515e
......@@ -183,6 +183,7 @@ The following table depicts the various user permission levels in a project.
| Delete pipelines | | | | | ✓ |
| Delete merge request | | | | | ✓ |
| Disable notification emails | | | | | ✓ |
| Administer project compliance frameworks | | | | | ✓ |
| Force push to protected branches (*4*) | | | | | |
| Remove protected branches (*4*) | | | | | |
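Review bot: the new row `| Administer project compliance frameworks | | | | | ✓ |` carries no tier badge, while the docs changed elsewhere in this commit mark the feature **(PREMIUM)**; consider adding the badge to the row the way the group table does for `View Billing **(FREE SAAS)**`, so readers of the project table don't expect the action in lower tiers.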
......@@ -293,6 +294,7 @@ group.
| View Billing **(FREE SAAS)** | | | | | ✓ (4) |
| View Usage Quotas **(FREE SAAS)** | | | | | ✓ (4) |
| Filter members by 2FA status | | | | | ✓ |
| Administer project compliance frameworks | | | | | ✓ |
1. Groups can be set to [allow either Owners or Owners and
Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup)
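Review bot: the same row name `Administer project compliance frameworks` now appears in both the project table and this group table with only the Owner column ticked, but the enforcing change is on the project policy (`ProjectPolicy`, `owner_access`). Say in the row or in a footnote that group owners get it through the project ownership they inherit; as written, the group row reads as a separate group-level permission.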
......
......@@ -46,17 +46,17 @@ Compliance framework labels do not affect your project settings.
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
> - It's disabled on GitLab.com.
> - It's not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM ONLY)**
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM)**
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
GitLab 13.8 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label
GitLab 13.9 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label
and assign it to any number of projects within that group or sub-groups. When this feature is enabled, projects can only
be assigned compliance framework labels that already exist within that group.
If existing [Compliance frameworks](#compliance-framework) are not sufficient, you can now create
your own.
If existing [Compliance frameworks](#compliance-framework) are not sufficient, project and group owners
can now create their own.
New compliance framework labels can be created and updated using GraphQL.
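Review bot: the rewritten sentence "project and group owners can now create their own" contradicts the paragraph just above it, which says a group owner creates a compliance framework label at the group level and assigns it to projects. If project owners can only assign existing labels, reword to "group owners can create their own and project owners can assign them". The version line also jumps from 13.8 to 13.9 inside a hunk that is otherwise about permissions; confirm that release bump is intended.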
......@@ -320,7 +320,7 @@ Add the URL of a Jaeger server to allow your users to [easily access the Jaeger
[Add Storage credentials](../../../operations/incident_management/status_page.md#sync-incidents-to-the-status-page)
to enable the syncing of public Issues to a [deployed status page](../../../operations/incident_management/status_page.md#create-a-status-page-project).
### Enable or disable custom compliance frameworks **(PREMIUM ONLY)**
### Enable or disable custom compliance frameworks **(PREMIUM)**
Enabling or disabling custom compliance frameworks is under development and not ready for production use. It is
deployed behind a feature flag that is **disabled by default**.
......
......@@ -388,7 +388,7 @@ module EE
rule { requirements_available & owner }.enable :destroy_requirement
rule { compliance_framework_available & can?(:admin_project) }.enable :admin_compliance_framework
rule { compliance_framework_available & can?(:owner_access) }.enable :admin_compliance_framework
rule { status_page_available & can?(:owner_access) }.enable :mark_issue_for_publication
rule { status_page_available & can?(:developer_access) }.enable :publish_status_page
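Review bot: this rule change is the only server-side enforcement in the commit, so `can?(:owner_access)` has to hold on every path that assigns a framework to a project, not just the settings form: the view text points users at the GraphQL API for frameworks, and the controller spec in this commit only exercises the project edit action. Confirm the GraphQL mutation that sets a project's framework also checks `:admin_compliance_framework`, and state in the merge request how instance admins who are not project owners are expected to behave, since the policy spec only shows `:admin | false | false | false`.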
......
- return unless current_user.can?(:admin_compliance_framework, @project)
- user_has_edit_permissions = current_user.can?(:admin_compliance_framework, @project)
.row
.form-group.col-md-9.gl-mb-6
- if Feature.enabled?(:ff_custom_compliance_frameworks)
- frameworks = @project.namespace.root_ancestor.compliance_management_frameworks
- if user_has_edit_permissions
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
= cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold'
= cf.label :framework, class: 'gl-font-weight-bold' do
= _('Compliance framework (optional)')
- if frameworks.any?
%p.text-secondary= _('Select required regulatory standard')
%p.text-secondary= _('Select required regulatory standard.')
- selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.id
= cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name, fw.id] }, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control'
= cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name.truncate(88), fw.id] }, selected_default_framework), { selected: '', prompt: _('Choose your framework'), include_blank: _('None') }, { class: 'form-control', disabled: false }
- else
%p.text-secondary
%p.form-text.text-muted
= _("No compliance frameworks are in use. Create one using the GraphQL API.")
- else
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
= cf.label :framework, class: 'gl-font-weight-bold' do
= _('Compliance framework')
- if frameworks.any?
- selected_framework = @project.compliance_framework_setting&.compliance_management_framework&.name&.truncate(88) || _('None')
= cf.text_field :framework, value: selected_framework, class: 'form-control read-only', disabled: true
%p.form-text.text-muted
= _("Customizable by owners.")
- else
%p.form-text.text-muted
= _("No compliance frameworks are in use.")
- else
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
= cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold'
%p.text-secondary= _('Select required regulatory standard')
%p.text-secondary= _('Select required regulatory standard.')
- selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.default_framework_definition&.identifier
= cf.select :framework, options_for_select(compliance_framework_options, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control'
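Review bot: replacing `- return unless current_user.can?(:admin_compliance_framework, @project)` with the boolean `user_has_edit_permissions` drops the guard for the feature-flag-off branch: the boolean is only consulted inside `- if Feature.enabled?(:ff_custom_compliance_frameworks)`, so with the flag off the final `- else` renders the editable select (`cf.select :framework, options_for_select(compliance_framework_options, ...)`) for any user who reaches the form, including maintainers. Either keep the early return for that branch or wrap the legacy select in the same `- if user_has_edit_permissions` check. The read-only path is fine as written: a `disabled: true` text_field is not submitted, and the policy rule remains the real enforcement.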
---
title: Disable ability for maintainers to change project compliance framework
merge_request: 53370
author:
type: changed
......@@ -568,12 +568,9 @@ RSpec.describe ProjectsController do
stub_licensed_features(compliance_framework: true)
end
context 'current_user is a project maintainer' do
let_it_be(:maintainer) { create(:user) }
context 'current_user is a project owner' do
before do
project.add_maintainer(maintainer)
sign_in(maintainer)
sign_in(project.owner)
end
it 'sets the compliance framework' do
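Review bot: the maintainer context was converted into an owner test (`sign_in(project.owner)`) instead of being kept next to it, so nothing in this spec now asserts that a maintainer's framework parameter is ignored, which is exactly the behaviour the commit message claims. Keep the `'current_user is a project maintainer'` context as a negative case (project compliance setting unchanged after the update) alongside the new owner case.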
......
......@@ -1545,7 +1545,7 @@ RSpec.describe ProjectPolicy do
:developer | false | nil | false
:developer | true | nil | false
:maintainer | false | nil | false
:maintainer | true | nil | true
:maintainer | true | nil | false
:owner | false | nil | false
:owner | true | nil | true
:admin | false | false | false
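Review bot: `:maintainer | true | nil | false` is the row that pins the new rule, good. Only `:admin | false | false | false` is visible for instance admins in this hunk; a matching row with the feature available would make the intended admin behaviour explicit in the table rather than implied by `owner_access`.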
......
......@@ -27,6 +27,40 @@ RSpec.describe 'projects/edit.html.haml' do
expect(rendered).to match /Custom framework 23/
end
it 'does not include warning message' do
render
expect(rendered).not_to match /Customizable by owners./
end
it 'contains the dropdown' do
render
expect(rendered).to have_css('select[id=project_compliance_framework_setting_attributes_framework]')
expect(rendered).not_to have_css('select[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
end
context 'user is group maintainer' do
let_it_be(:maintainer) { create(:user) }
before do
group.add_maintainer(maintainer)
allow(view).to receive(:current_user).and_return(maintainer)
end
it 'includes warning message' do
render
expect(rendered).to match /Customizable by owners./
end
it 'disables the dropdown' do
render
expect(rendered).to have_css('input[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
end
end
end
context 'group has no compliance frameworks' do
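Review bot: the negative case uses `group.add_maintainer(maintainer)`, a group maintainer, while the permission row was also added to the project table and the commit message talks about project maintainers; add a `project.add_maintainer` case so the disabled `input[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]` assertion covers that role too. Also, in `match /Customizable by owners./` the trailing `.` is an unescaped regex metacharacter; use `/Customizable by owners\./` or `include('Customizable by owners.')`.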
......
......@@ -7396,6 +7396,12 @@ msgstr ""
msgid "Compliance Dashboard"
msgstr ""
msgid "Compliance framework"
msgstr ""
msgid "Compliance framework (optional)"
msgstr ""
msgid "Compliance framework (optional)"
msgstr ""
......@@ -8736,6 +8742,9 @@ msgstr ""
msgid "Customizable by an administrator."
msgstr ""
msgid "Customizable by owners."
msgstr ""
msgid "Customize colors"
msgstr ""
......@@ -19837,6 +19846,9 @@ msgstr ""
msgid "No commits present here"
msgstr ""
msgid "No compliance frameworks are in use."
msgstr ""
msgid "No compliance frameworks are in use. Create one using the GraphQL API."
msgstr ""
......@@ -26231,7 +26243,7 @@ msgstr ""
msgid "Select projects"
msgstr ""
msgid "Select required regulatory standard"
msgid "Select required regulatory standard."
msgstr ""
msgid "Select reviewer(s)"
......